How to Track and Fight Malware, Ransomware, Botnets… using ntopng


Malware blacklists are nothing new to ntopng. ntopng (including ntopng Edge) has integrated the Emerging Threats blacklist https://rules.emergingthreats.net for a long time. The 3.6 stable release also introduced some webmining blacklists, which flag online mining sites and generate alerts.

Despite these integrations, ntopng lacked the ability to inform the user about the lists currently in use and let them verify the update status of each list. For these reasons, we decided to implement the Category Lists page, which gives users full visibility and control over the lists ntopng uses.

The page displays all the lists currently supported by ntopng. A status badge indicates whether the list has been downloaded successfully or has encountered errors. A list is now a general concept not limited to malware: it simply associates a set of IPs/domains with a Category. In the future, user-supplied lists could be supported thanks to the flexibility of this model.

As you can see from the above image, lists are downloaded either daily or hourly according to the preference you set. This is because malware lists are continuously updated, so fresh information is compulsory to keep them effective. The Num Hosts column reports the actual number of rules loaded from the list. Lists are updated on a daily basis by default; however, the update frequency can be changed from the edit dialog. It is also possible to disable each individual list. Another important improvement is the use of the disk to store the downloaded lists. In this way, downloading the list on every startup is no longer required, and a host which is temporarily unable to download new lists can still use the previously downloaded ones.
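The list model described above (hosts mapped to a Category, a loaded-rules count, a copy kept on disk and reused when a download fails) as an added illustration; this is not ntopng's own code, and the feed format, class and names are assumptions.

```python
import ipaddress
from pathlib import Path

SAMPLE_FEED = """# constructed sample feed (not real data), one IP/CIDR per line
198.51.100.0/24
203.0.113.7  # inline comment
192.0.2.44
"""

def parse_entries(text):
    """Return the networks in a feed, skipping blanks, comments and bad entries."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # blank, comment-only or malformed entry: skip it, keep the list
    return nets

class CategoryList:
    """Hypothetical list: a name, the category it assigns, and a cached copy on disk."""
    def __init__(self, name, category, cache_dir):
        self.name, self.category = name, category
        self.cache_file = Path(cache_dir) / f"{name}.txt"
        self.cache_file.parent.mkdir(parents=True, exist_ok=True)
        self.networks, self.status = [], "not loaded"

    def refresh(self, fetch):
        """fetch() returns feed text or raises OSError; on failure reuse the cache."""
        try:
            text = fetch()
            self.cache_file.write_text(text)
            self.status = "ok"
        except OSError:
            if not self.cache_file.exists():
                self.status = "error"  # nothing cached yet: list stays empty
                return False
            text = self.cache_file.read_text()
            self.status = "stale"  # download failed, previous copy still in use
        self.networks = parse_entries(text)
        return True

    def num_hosts(self):  # what the Num Hosts column reports
        return len(self.networks)

    def lookup(self, ip):
        """Return this list's category if ip matches any entry, else None."""
        addr = ipaddress.ip_address(ip)
        return self.category if any(addr in n for n in self.networks) else None
```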

With this update, only available in the latest development version of ntopng, we have also integrated some new powerful blacklists:

Category Lists and Custom Category Hosts are powerful features that increase the usability of ntopng in terms of visibility and threat detection.

Whenever an attack is detected, ntopng reports an alert like the one shown below that you can use to track the problem. Remember that if you have enabled continuous traffic recording in ntopng, you can download from within ntopng a pcap of the attack for full inspection.

If alerting is not enough and you wish to block such threats and to optimize the bandwidth usage, you’ll be pleased to know that ntopng Edge implements this and much more!